Hacking Humans to Reach Company Assets

The cyber-key for stealing corporate data and assets may be through vulnerable employees.

Cyber attacks have changed in recent years. Gone are the days when relatively benign bedroom hackers entered organizations to show off their skills. Attackers now are often sophisticated criminals who target employees who have access to the organization’s jewels. Instead of using blunt force, these savvy criminals use age-old human fallibility to con unwitting employees into handing over the keys to the vault.

Professional criminals like the crime opportunities they’ve found on the internet. It’s far less dangerous than slinging guns. “Cybersecurity is getting worse. Criminal gangs have discovered they can carry out crime more effectively over the internet, and there’s less chance of getting caught,” Jessica Barker, founder of the cybersecurity website Cyber.uk, told Design News. “Organized outfits are disguising themselves as businesses with offices and HR departments. Some of their employees don’t even know they’re working for a criminal enterprise. Many use traditional con-artist techniques to con their customers out of large sums of money.”

Barker noted that hacking individual employees is often the easiest way into a company. “One of the cheapest and most effective ways to target an organization is to target its people. Attackers use psychological tricks that have been used throughout mankind,” said Barker. “Using the internet, con tricks can be carried out on a large scale. The criminals do reconnaissance to find out about targets over email. Then they effectively take advantage of key human traits.”

A Dangerous Note from the CEO

The criminals enter the company’s email bloodstream and begin to take action. “One common attack comes as an email impersonating a CEO or supplier. The email looks like it came from your boss or a regular supplier, but it’s actually targeted to a specific professional in the organization,” said Barker. “The email might say, ‘We’ve acquired a new organization. We need to pay them. We need the company’s bank details, and we need to keep this quiet so it won’t affect our stock price.’ The email will go on to say, ‘We only trust you, and you need to do this immediately.’ The email comes from a criminal, using triggers like flattery, saying, ‘You’re the most trusted individual in the organization.’ The criminals play on authority and create the panic of time pressure.”

Even long-term attacks can be launched by using this tactic of a CEO message. “A company in Malaysia received some kits purporting to come from the CEO,” said Barker. “The users were told the kit needed to be installed. It took months before the company found out it didn’t come from the CEO at all.”
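The CEO-impersonation message Barker describes combines a spoofed executive identity with four psychological triggers: a payment request, time pressure, secrecy and flattery. Those same traits make such mail screenable on the receiving side. The following Python is an added example, not code from the article or from Barker; it assumes a hypothetical corporate domain (`example.com`), a hypothetical executive name list, and two constructed sample messages, and scores each message on sender-identity mismatches and the trigger phrases quoted above.

```python
"""Heuristic screening for CEO-impersonation (business email compromise) mail.

Added example: corporate domain, executive names and the sample messages below
are constructed for illustration, not taken from the article.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"      # hypothetical corporate mail domain
EXECUTIVE_NAMES = {"jane doe"}        # hypothetical executive display names, lowercased

# Phrase groups mirroring the triggers in the article: a payment request made
# under authority, time pressure, secrecy and flattery.
PHRASE_GROUPS = {
    "payment request": ("bank details", "wire transfer", "pay them", "make a payment"),
    "time pressure": ("immediately", "urgent", "right away", "within the hour"),
    "secrecy": ("keep this quiet", "don't tell", "do not discuss", "between us"),
    "flattery": ("only trust you", "most trusted", "count on you"),
}


def _domain(address: str) -> str:
    """Return the lowercased domain part of an address, or '' if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score an RFC 822 message; higher means more BEC indicators were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    score, reasons = 0, []

    # An executive's display name on a message from outside the corporate
    # domain is the core of the impersonation; weight it highest.
    if from_name.strip().lower() in EXECUTIVE_NAMES and _domain(from_addr) != CORPORATE_DOMAIN:
        score += 2
        reasons.append(
            f"executive display name '{from_name}' with external sender domain '{_domain(from_addr)}'"
        )

    # A Reply-To pointing somewhere other than the visible sender redirects
    # the victim's answer to the attacker.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        score += 1
        reasons.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain")

    # Each psychological trigger present adds one point, regardless of how
    # many phrases from that group appear.
    for label, phrases in PHRASE_GROUPS.items():
        if any(p in text for p in phrases):
            score += 1
            reasons.append(f"{label} language present")

    return score, reasons


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """True when enough independent indicators co-occur to warrant review."""
    return score_message(raw)[0] >= threshold


# Constructed sample: the pattern from the article, sent from a look-alike domain.
FRAUD_MESSAGE = """From: Jane Doe <jane.doe@example-corp-mail.com>
To: finance@example.com
Subject: Urgent acquisition payment

We've acquired a new organization and we need to pay them today.
Send me the company's bank details and keep this quiet so it won't
affect our stock price. We only trust you, so do this immediately.
"""

# Constructed sample: routine internal mail from the real executive address.
BENIGN_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Can we schedule the budget review for next Tuesday? Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("fraud", FRAUD_MESSAGE), ("benign", BENIGN_MESSAGE)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} suspicious={is_suspicious(raw)}")
        for r in reasons:
            print(f"  - {r}")
```

The threshold deliberately requires several indicators at once: a single urgent word is normal business traffic, but an executive name on an external domain plus a payment request plus secrecy language is the specific combination Barker describes, and that combination is what should route a message to a human reviewer rather than the recipient's inbox.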

Instead of increased technology, some of the new hackers are deploying the classic con moves, playing against personal foibles. “They are taking advantage of those base aspects of human nature and how we’re taught to behave,” said Barker. “We have to make sure we have better awareness. For cybersecurity to be engaging, you have to have an impact on the employees. It can’t just be background training once a year. It has to be personal and engaging so people really get it.”

Attacking Through Social Media

As well as entering the email stream, hackers are identifying the personal interests of victims on social media. “Every kind of media is used for attacks. Social media is used to carry out reconnaissance, to identify targets and learn about them,” said Barker. “Users need to see what attackers can find out about them on Twitter or Facebook.”

The trick hackers use is to pretend they know the target. Then they get close through personal interaction on social media. “You can look at an organization on Twitter and see who works in finance. Then they take a good look across social platforms to find those individuals on social media to see if they go to a class each week or if they traveled to Iceland in 1996,” said Barker. “You can put together a spear-phishing program where you say, ‘Hey, I went on this trip with you.’”

Protecting Against Attacks on Humans

The counter-action to personal hacking is education and awareness. The company can identify potential weaknesses and potential targets and then change the vulnerable aspects of the corporate environment. “We have to look at the culture of the organization. Those who are under pressure are targets. They don’t have time to study each email they get. We also have to discourage reliance on email,” said Barker. “Hackers also exploit the culture of fear, where people are punished for their mistakes. Those are the people most in danger. We need to create a culture where if someone makes a mistake, they can immediately come forward. The quicker someone comes forward, the quicker we can deal with it.”